Wietse Venema:
> Robert Sander:
>
> Checking application/pgp-signature: FAILURE
> -- Start of PGP signed section.
> > Hi,
> >
> > we encounter an issue with DANE-enabled Postfix
> > trying to deliver mail to a DNSSEC-enabled domain
> > that has no specific TLSA records for its MX but
> > obviously a wildcard CNAME entry:
> >
> > Sep 3 14:18:47 mailout1 postfix/smtp[30772]: warning: DANE TLSA lookup
> > problem: Host or domain name not found. Name service error for
> > name=_25._tcp.mail2.clarion-hotels.cz type=TLSA: Host not found, try again
>
> Looks like the DNS client is losing some query flags while resolving
> the CNAME record. I'll investigate further.
Further investigatation suggests that my local DNS resolver does
not support DNSSEC for wildcards, and therefore treats the CNAME
response as "not signed". This invalidates my test.
Wietse
